Post on 02-Jan-2017
Canon imageRUNNER ADVANCE Hardening Guide
Canon imageRUNNER ADVANCE Hardening Guide 2016
Introduction
Modern Canon Multifunction Devices (MFDs) provide print, copy, scan, send and fax functionality. MFDs are computer servers in their own right, providing a number of networked services along with significant hard drive storage.
When an organisation introduces these devices into their infrastructure, there are a number of areas that should be addressed as part of the wider security strategy, which should look to protect the confidentiality, integrity and availability of your networked systems.
Clearly, deployments will differ and organisations will have their own specific security requirements. While we work together to ensure that Canon devices are shipped with appropriate initial security settings, we aim to further support this by providing a number of configuration settings to enable you to more closely align the device to the requirements of your specific situation.
This document is designed to provide sufficient information to enable you to discuss with Canon or a Canon partner the most appropriate settings for your environment. Once decided, the final configuration can be applied to your device or fleet. Please feel free to contact Canon or a Canon partner for further information and support.
Who is this document meant for?
This document is aimed at anybody who is concerned with the design, implementation and securing of office multifunction devices (MFDs) within a network infrastructure. This might include IT and network specialists, IT security professionals, and service personnel.
Scope and coverage
The guide explains and advises on the configuration settings for two typical network environments, so that organisations can securely implement an MFD solution based on best practice. These settings have been tested and validated by Canon’s ICT Security team.
We make no assumptions about specific industry sector regulatory requirements that may impose other security considerations and are out of scope of this document.
This guide was created based upon the typical feature set of the imageRUNNER ADVANCE C5255i, and while the information here applies to all models and series within the imageRUNNER ADVANCE range, some features may differ between models.
Implementing appropriate MFD security for your environment
To explore the security implications of implementing a multifunction device as part of your network, we have considered two typical scenarios:
• A typical small office environment
• An enterprise office environment
Small office environment
Typically, this will be a small business environment with an un-segmented network topology. It uses one or two MFDs for its internal use and these devices are not accessible on the Internet.
While mobile printing is available, additional solution components will be required. For those users requiring printer services outside of a LAN environment, a secure connection is required, but this will not be covered in this guide. However, attention should be paid to the security of the data in transit between the remote device and the print infrastructure.
[Figure 1: Small Office Network. Elements shown: PSTN, Internet (www), mobile device (external user), mobile device (internal user), file server, firewall, wireless access point, multi-functional device, client PC, fax.]
Configuration Considerations
Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is regarded as being sufficient in the default settings for this business and network environment.
imageRUNNER ADVANCE Feature | Description | Consideration
--- | --- | ---
Service Mode | Allows access to Service Mode settings | Password protect with a non-default, non-trivial and maximum length password
Service Management Mode | Allows access to various non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
SMB Browse/Send | Store and retrieve to and from Windows/SMB network shares | System administrators should, by policy, disallow any users from creating local accounts on their client machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
Remote UI | Web-based configuration tool | The imageRUNNER ADVANCE administrator should enable HTTPS for the remote UI and disable HTTP access. Enable the use of PIN authentication unique to each device
SNMP | Network monitoring integration | Disable version 1 and enable version 3 only
Send to e-mail and/or IFAX | Send emails from the device with attachments | Enable SSL. Do not use the POP3 authentication before SMTP send. Use SMTP authentication
POP3 | Automatically fetch and print documents from mailbox | Enable SSL. Enable POP3 authentication
Address book / LDAP | Use directory service to look up home number or email addresses to send scans to | Enable SSL. Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials
FTP Print | Upload & download documents to and from the embedded FTP server | Turn on FTP authentication. Be aware that FTP traffic will always travel in clear text over the network
WebDAV Send | Scan and Store documents on a remote location | Enable authentication for WebDAV shares
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Secure Print | Print job is sent to the device but locked in the print queue until the corresponding PIN number is entered | Enable PIN protected print jobs
Embedded web browser | Browser access to Internet | Enforce through administration, the use of a content filtering web proxy to avoid malicious or viral content being accessed. Disable the creation of favourites
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
Table 1 Small Office Environment Configuration Considerations
An Enterprise Office Environment
This is typically a multi-site, multi-office environment with segmented network architecture. It has multiple MFDs deployed on a separate VLAN accessible for internal use via print server(s). These MFDs are not accessible from the Internet.
This environment will usually have a permanent team to support its networking and back-office requirements along with general computer issues, but it is assumed they will not have specific MFD training.
[Figure 2: Enterprise Office Network. Elements shown: PSTN, Internet (www), mobile device (external user), mobile device (internal user), file server, firewall, wireless access point, multi-functional devices, client PC, fax, general network infrastructure, dedicated print VLAN.]
Configuration considerations
Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is regarded as being sufficient in the default settings for this business and network environment.
imageRUNNER ADVANCE Feature | Description | Consideration
--- | --- | ---
Service Mode | Allows access to Service Mode settings | Password protect with a non-default, non-trivial and maximum length password
Service Management Mode | Allows access to various non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
SMB Browse/Send | Store and retrieve to and from Windows/SMB network shares | System administrators should, by policy, disallow any users from creating local accounts on their machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
Remote UI | Web-based configuration tool | Following initial device configurations disable the Remote UI completely by disabling HTTP and HTTPS
SNMP | Network monitoring integration | Disable version 1 and enable version 3 only
Send to e-mail and/or IFAX | Send emails from the device with attachments | Enable SSL. Enable certificate verification at the SMTP server or, if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Do not use the POP3 authentication before SMTP send. Use SMTP authentication
POP3 | Automatically fetch and print documents from mailbox | Enable SSL. Enable certificate verification at the POP3 server or, if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Enable POP3 authentication
Address book / LDAP | Use directory service to look up phone number or email addresses to send scans to | Enable SSL. Enable certificate verification at the LDAP server or, if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials
IPP | Connect and send printing jobs over the network | Disable IPP
WebDAV Send | Scan and Store documents on a remote location | Enable authentication for the WebDAV shares. Enable SSL. Enforce the printer to only allow files ending with the “file printing extensions” to be uploaded
IEEE802.1X | Network access authentication mechanism | EAPOL V1 supported
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Encrypted Secure Print | Enhance the protection of Secure Print by encrypting the file and the password during transmission | Configure the username in the Printer tab on the client printer configuration to a different username than the LDAP/domain credentials of that user. Ensure “Restrict printer jobs” is turned off
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
Table 2 Enterprise Office Environment Configuration Considerations
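The considerations in Table 1 and Table 2 can be checked mechanically once a device's settings have been written down. The following is an added example, not Canon code: the snapshot keys (`snmp_v1`, `remote_ui_http` and so on) are hypothetical names chosen here, the sample snapshots are constructed, and only the on/off considerations from the two tables are encoded.

```python
"""Audit an MFD settings snapshot against the considerations in Table 1 / Table 2.

Added example. The snapshot keys are hypothetical names for values an
administrator has transcribed from the device; they are not a Canon export format.
"""
from dataclasses import dataclass
from typing import Optional

SMALL, ENTERPRISE = "small_office", "enterprise"
BOTH = frozenset({SMALL, ENTERPRISE})


@dataclass(frozen=True)
class Rule:
    key: str                    # hypothetical snapshot key
    expected: bool              # value the guide's consideration implies
    profiles: frozenset         # environments the consideration applies to
    advice: str                 # paraphrase of the table's "Consideration" cell
    when: Optional[str] = None  # evaluate only if this feature is switched on


RULES = [
    Rule("snmp_v1", False, BOTH, "SNMP: disable version 1"),
    Rule("snmp_v3", True, BOTH, "SNMP: enable version 3 only"),
    Rule("remote_ui_http", False, BOTH, "Remote UI: disable HTTP access"),
    Rule("remote_ui_https", True, frozenset({SMALL}), "Remote UI: enable HTTPS"),
    Rule("remote_ui_https", False, frozenset({ENTERPRISE}),
         "Remote UI: disable HTTPS too after initial configuration"),
    Rule("ipp_print", False, frozenset({ENTERPRISE}), "IPP: disable IPP"),
    Rule("smtp_ssl", True, BOTH, "Send to e-mail: enable SSL", "send_email"),
    Rule("smtp_auth", True, BOTH, "Send to e-mail: use SMTP authentication",
         "send_email"),
    Rule("pop_before_smtp", False, BOTH,
         "Send to e-mail: no POP3 authentication before SMTP send", "send_email"),
    Rule("pop3_ssl", True, BOTH, "POP3: enable SSL", "pop3"),
    Rule("pop3_auth", True, BOTH, "POP3: enable POP3 authentication", "pop3"),
    Rule("ldap_ssl", True, BOTH, "LDAP: enable SSL", "ldap"),
    Rule("ftp_print_auth", True, frozenset({SMALL}),
         "FTP Print: turn on FTP authentication", "ftp_print"),
    Rule("webdav_auth", True, BOTH, "WebDAV Send: enable authentication",
         "webdav_send"),
    Rule("webdav_ssl", True, frozenset({ENTERPRISE}), "WebDAV Send: enable SSL",
         "webdav_send"),
]


def audit(settings: dict, profile: str) -> list:
    """Return (status, key, advice) tuples; status is FAIL or UNKNOWN."""
    if profile not in BOTH:
        raise ValueError(f"unknown profile: {profile!r}")
    findings = []
    for rule in RULES:
        if profile not in rule.profiles:
            continue
        # A feature that is off (or not recorded as on) needs no hardening check.
        if rule.when is not None and not settings.get(rule.when, False):
            continue
        if rule.key not in settings:
            # Never treat a missing value as compliant: report it for follow-up.
            findings.append(("UNKNOWN", rule.key, rule.advice))
        elif settings[rule.key] != rule.expected:
            findings.append(("FAIL", rule.key, rule.advice))
    return findings


# Constructed snapshot. SNMPv1 on, SNMPv3 off, HTTP on, IPP on and SMTP
# authentication off mirror the factory defaults listed in the appendix
# (mapping "Use HTTP" to the Remote UI is an assumption); the rest is made up.
FACTORY_LIKE = {
    "snmp_v1": True, "snmp_v3": False,
    "remote_ui_http": True, "remote_ui_https": False,
    "ipp_print": True,
    "send_email": True, "smtp_ssl": False, "smtp_auth": False,
    "pop_before_smtp": False,
    "pop3": False, "ldap": False, "ftp_print": False, "webdav_send": False,
}

# Constructed snapshot of a hardened enterprise device; "webdav_ssl" was
# deliberately left out to show how unrecorded values are reported.
HARDENED_ENTERPRISE = {
    "snmp_v1": False, "snmp_v3": True,
    "remote_ui_http": False, "remote_ui_https": False,
    "ipp_print": False,
    "send_email": True, "smtp_ssl": True, "smtp_auth": True,
    "pop_before_smtp": False,
    "webdav_send": True, "webdav_auth": True,
}

if __name__ == "__main__":
    for name, snapshot, profile in (
        ("factory-like", FACTORY_LIKE, SMALL),
        ("factory-like", FACTORY_LIKE, ENTERPRISE),
        ("hardened", HARDENED_ENTERPRISE, ENTERPRISE),
    ):
        print(f"{name} / {profile}")
        for status, key, advice in audit(snapshot, profile):
            print(f"  {status:7} {key:16} {advice}")
```

Considerations that offer an alternative (certificate verification or a Network Intruder Detection System collector) or that concern password quality are not encoded and still need a manual review.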
Remote Device Support
For Canon or a Canon Partner to be able to provide efficient service, the imageRUNNER ADVANCE is capable of transmitting service related data, as well as receiving firmware updates or software applications. It should be noted that no image or image metadata is sent.
Shown below are two possible implementations of Canon’s remote services within a company network.
Implementation scenario 1: Dispersed connection
In this setting, each MFD allows direct connection to the remote service through the Internet.
[Figure 3: Dispersed connection. Elements shown: PSTN, Internet (www), Canon Universal Gateway, Canon Remote Services, mobile device (external user), mobile device (internal user), file server, firewall, wireless access point, multi-functional device (embedded e-Maintenance, Content Delivery System, Remote Support Operator’s Kit), client PC, fax.]
Implementation Scenario 2: Centralised Managed Connection
In an enterprise environment scenario, where multiple MFDs are installed, there is a need to be able to efficiently manage these devices from one central point, and this includes the connection to Canon’s remote services. To facilitate the holistic management approach, individual devices would establish management connections through a single iW Management Console (iWMC) connection point. For communication between the Device Firmware Upgrade (DFU) plug-in and Multi-Functional Devices, UDP port 47545 is used.
[Figure 4: Centralized managed connection. Elements shown: PSTN, Internet (www), mobile device (external user), mobile device (internal user), print server, firewall, wireless access point, multi-functional devices (embedded Remote Support Operator’s Kit), client PC, fax, iW MC with supporting plug-ins, general network infrastructure, dedicated print VLAN, Canon Universal Gateway, Canon Remote Services.]
e-Maintenance
The e-Maintenance system provides an automated way of collecting device usage counters for billing purposes, consumables management and remote device monitoring through status and error alerts.
The e-Maintenance system consists of an Internet facing server (UGW) and either an embedded Multi-Functional Device software (eRDS) and/or additional server-based software (RDS plug-in) to collect device service related information. The eRDS is a monitoring program which runs inside the imageRUNNER ADVANCE. If the monitoring option is enabled in the device settings, the eRDS obtains its own device information and sends it to the UGW. The RDS plug-in is a monitoring program which is installed on a general PC, and can monitor 1 to 3000 devices. It obtains the information from each device via the network and sends it to the UGW.
The table below gives an overview of the data transferred, the protocols (which depend upon the options selected during the design and implementation) and the ports used. At no point is any copy, print, scan or fax image data transferred.
Description | Data Handled | Protocol | Port
--- | --- | --- | ---
Communication between eMaintenance (eRDS or RDS plug-in) and UGW | UGW web service address; proxy server address / port number; proxy account / password; UGW mail destination address; SMTP server address; POP server address. Device status, counter and model information; serial number; remaining toner/ink information; firmware information; repair request information; logging information; service call; service alarm; jam; environment; condition log | HTTP; HTTPS; SMTP; POP3 | TCP/80; TCP/443; TCP/25; TCP/110
Communication between eMaintenance and Device (only RDS plug-in, as eRDS is embedded software) | | SNMP; Canon proprietary; SLP; SLP; HTTPS | UDP/161; TCP/47546, UDP/47545, TCP/9007; UDP/427; UDP/11427; TCP/443
Table 3 E-Maintenance Data Overview
Content Delivery System
The Content Delivery System (CDS) establishes a connection between the MFD and Canon Universal Gateway (UGW). It provides device firmware and application updates.
A specific CDS access URL is pre-set in the device configuration. If there is a requirement to provide centralised device firmware and application management from within the infrastructure, a local installation of iWMC with Device Firmware Upgrade (DFU) plug-in and Device Application Management plug-in will be required.
Description | Data Sent | Protocol | Port
--- | --- | --- | ---
Communication between the MFD and UGW | Device serial number; firmware version; language; country; information relating to the device EULA | HTTP; HTTPS | TCP/80; TCP/443
Communication between the UGW and MFD | Test file (binary random data) for communication testing; firmware or MEAP application binary data | HTTP; HTTPS | TCP/80; TCP/443
Table 4 Content Delivery System Data Overview
Remote Support Operator’s Kit
The Remote Support Operator’s Kit (RSOK) provides remote access to the device control panel. This server-client type system consists of a VNC server running on the MFP and the Remote Operation Viewer, a VNC client application for Microsoft Windows.
Description | Data Sent | Protocol | Port
--- | --- | --- | ---
VNC password authentication | User password | DES encryption | 5900
Operation Viewer | Device control panel: screen data, hardware key operation | Version 3.3 RFB protocol | 5900
Table 5 Remote Support Operator’s Kit Data Overview
[Figure 5: Remote Support Operator’s Kit (RSOK) Setup. Elements shown: MFD with RSOK enabled (VNC server), user, PC with RSOK Viewer VNC client, general network infrastructure, MFD operating panel accessed via the PC.]
Appendix
Factory defaults
The tables listed in this section provide an overview of selected key configuration options available in the imageRUNNER ADVANCE, and the factory defaults for each option. This information is based on the imageRUNNER ADVANCE C5255i model. For the full list of configuration options or other models from the imageRUNNER ADVANCE range please refer to the Settings/Registration table in the relevant device User Manual.
Explanation:
Setting description – This defines the User Mode setting allowing configuration. These settings are only available to administrators and not accessible to general device users.
Can be set in Remote UI – The imageRUNNER ADVANCE platform provides remote configuration through a web services interface (Remote UI). This interface provides access to a number of device configuration settings. It can be disabled if not permitted and password protected to prevent unauthorised access.
Device Information Delivery Available - Various machine settings can be sent over the network and automatically applied to other Canon multifunction printers. With this function, a host machine is designated whose registered information (such as the settings in the Settings/Registration menu and address lists) is distributed to other client machines, enabling automated alignment of configuration settings with the host machine.
We recommend that any services not in use are disabled. Please contact your local Canon representative for further information.
Network table
If you are configuring the settings for the first time in “Interface Settings,” “TCP/IPv4 Settings,” “TCP/IPv6 Settings,” or “Settings Common to TCP/IPv4 and TCP/IPv6,” use the control panel of the machine. After configuring the TCP/IP settings, you can change them using the Remote UI.
In the NetWare or AppleTalk network, the TCP/IP protocol must be used to specify the settings with software other than the control panel of the machine. The setting items are shown below.
Some items can be set using the Remote UI. Use the control panel of the device to set items which cannot be set using the Remote UI.
* Default Settings
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item Setting Description Can be set in Remote UI
User Data List Print List Yes
Confirm Network Connection Set. Changes On, Off* No
TCP/IP Settings
IPv4 Settings
Use IPv4 On*, Off Yes
IP Address Settings IP Address: 0.0.0.0*; Subnet Mask: 0.0.0.0*; Gateway Address: 0.0.0.0*; DHCP: On, Off*; RARP: On, Off*; BOOTP: On, Off* Yes
PING Command IP Address: 0.0.0.0* No
IPv6 Settings
Use IPv6 On, Off* Yes
Stateless Address Settings Use Stateless Address: On*, Off Yes
Manual Address Settings Use Manual Address: On, Off*; Manual Address: IPv6 Address (39 characters maximum); Prefix Length: 0 to 128 (64*); Default Router Address (39 characters maximum) Yes
Use DHCPv6 On, Off* Yes
PING Command IPv6 Address: (39 characters maximum) Yes
Host Name 48 characters maximum Yes
DNS Settings
DNS Server Address Settings
IPv4 Primary DNS Server: IP Address: 0.0.0.0*; Secondary DNS Server: IP Address: 0.0.0.0* Yes
IPv6 Primary DNS Server: IPv6 Address; Secondary DNS Server: IPv6 Address Yes
DNS Host/Domain Name Settings
IPv4 Host Name: 47 characters maximum; Domain Name: 47 characters maximum Yes
IPv6 Use Same Host Name/Domain Name as IPv4: On, Off*; Host Name: 47 characters maximum Yes
DNS Dynamic Update Settings
IPv4 DNS Dynamic Update: On, Off* Yes
IPv6 DNS Dynamic Update: On, Off*; Register Stateless Address: On, Off*; Register Manual Address: On, Off*; Register Stateless Address: On, Off: Yes
WINS Settings
WINS Resolution On, Off* Yes
WINS Server Address IP Address:0.0.0.0* Yes
Node Type Auto Set, display only No
Scope ID 63 characters maximum Yes
LPD Print Settings
LPD Print Settings On*, Off Yes
LPD Banner Page*1 On, Off* Yes
RAW Print Settings
RAW Print Settings On*, Off Yes
Bidirectional Communication On, Off* Yes
SNTP Settings
Use SNTP On, Off* Yes
Polling Interval Interval for performing time synchronization (1 to 48 hours)(24hours*) Yes
NTP Server Address IP address or host name Yes
Check NTP Server - Yes
FTP Print Settings
Use FTP Print On, Off* Yes
User User name for FTP server login (24 characters maximum) (guest*) Yes
Password Password for FTP server login (24 characters maximum) (7654321*) Yes
WSD Print Settings
Use WSD Print On*, Off Yes
Use WSD Browsing On*, Off Yes
Use Multicast Discovery On*, Off Yes
Use FTP PASV Mode
Use FTP PASV Mode On, Off* Yes
BMLinkS Settings
Use BMLinkS On, Off* Yes
Discovery Sending Interval 30 mins*, 1, 3, 6, 12, 24 hrs Yes
Location Information Country / Region Yes
Company/Org. Name, Dept. Name, Bldg. Name, Floor No., Block Name Yes
IPP Print Settings
IPP Print Settings On* Off Yes
Use SSL On, Off* Yes
Use Authentication On, Off* Yes
User User name for FTP server login (24 characters maximum) (guest*) Yes
Password Password for FTP server login (24 characters maximum) (7654321*) Yes
Multicast Discovery Settings
Response On* Off Yes
Scope name Scope name to be used for a multicast discovery (32 characters maximum) Yes
Use HTTP On* Off Yes
Use Web DAV Server On, Off* Yes
SSL Settings Functions using SSL encrypted communications Yes
Key and Certificate
Set as the Default Key - Yes
Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert Thumbprint/Certificate Yes
Display Use Location Displays what the key pair is being used for Yes
Proxy Settings
Use proxy On, Off* Yes
Server Address IP address or FQDN(128 characters maximum) Yes
Port Number 1 to 65535 (80*) Yes
Use Proxy within the Same Domain On, Off* Yes
Set Authentication
Use Proxy Auth. On, Off* Yes
User Name 24 characters maximum Yes
Password 24 characters maximum Yes
Confirm Dept. ID PIN On*, Off Yes
IPSec Settings
Use IPSec On, Off* Yes
Receive Non-policy Packets Allow/Reject Yes
Edit Yes
Delete Yes
Policy On, Off Yes
Register
Policy Name 24 characters maximum Yes
Register: Selector Settings
Local Address: Yes
All IP Addresses*/IPv4 Address/IPv6 Address/IPv4 Manual Settings/IPv6 Manual Settings Yes
Remote Address: Yes
All IP Addresses*,All IPv4Address,All IPv6Address,IPv4 Manual Settings,IPv6 Manual Settings Yes
Port: Specify by Port Number*/Specify by Service Name Yes
IKE Settings
IKE mode : Main*/Aggressive Yes
Authentication Method : Pre-Shared Key Method*/Digital sig. Method Yes
Auth./Encryption Algorithm : Auto*/Manual Settings Yes
IPSec Network Settings
Validity: Time (1 to 65535 minutes) (480 minutes*) Yes
Validity: Size (1 to 65535 MB) (65535 MB*) Yes
PFS : On, Off* Yes
Auth./Encryption Algorithm : Auto*/Manual Settings Yes
Connect. Mode : Transport, display only -
NetWare Settings
Use NetWare On, Off* Yes
Frame Type Auto Detect*/Ethernet II/Ethernet 802.2/Ethernet 802.3/Ethernet SNAP Yes
IPX External Network Number Auto Set, display only -
Node Number Auto Set, display only -
Print Service Bindery PServer,R Printer,NDS Pserver*,Nprinter Yes
Packet Signature Auto Set, display only -
Bindery Pserver Settings
Print Server Name 47 characters maximum Yes
File Server Name 47 characters maximum Yes
Print Server Password 20 characters maximum Yes
Printer Number 0 to 15 (0*) Yes
Polling Interval 1 to 15 seconds (5 seconds*) Yes
Printer Form 0 to 255 (0*) Yes
Buffer Size 1 to 20 KB (20 KB*) Yes
Service Mode Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* Yes
Rprinter Settings
Print ServerName 47 characters maximum Yes
File ServerName 47 characters maximum Yes
Printer Number 0 to 15 (0*) Yes
NDS PServer Settings
Print ServerName 64 characters maximum Yes
Tree Name 32 characters maximum Yes
Context 256 characters maximum Yes
Print Server Password 20 characters maximum Yes
Printer Number 0 to 254 (0*) Yes
Polling Interval 1 to 255 seconds (5 seconds*) Yes
Printer Form 0 to 255 (0*) Yes
Buffer Size 3 to 20 KB (20 KB*) Yes
Service Mode Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* Yes
NPrinter Settings
Print ServerName 64 characters maximum Yes
Tree Name 32 characters maximum Yes
Context 256 characters maximum Yes
Printer Number 0 to 254 (0*) Yes
AppleTalk Settings
Use Apple Talk On, Off* Yes
Phase Phase 2(fixing) -
Service Name 32 characters maximum Yes
Zone 32 characters maximum Yes
Print Mode Both*, Spool, Direct Yes Yes
SMB Server Settings
Use SMB Server On, Off* Yes
ServerName 15 characters maximum(Canon+represents the last six digits of a MAC address) Yes
Workgroup 15 characters maximum(WORKGROUP*) Yes
Comment 48 characters maximum Yes
LM Announce On, Off* Yes
SMB Printer Settings
Use SMB Print On, Off* Yes
Printer Name 13 characters maximum(PRINTER) Yes
SMB Auth. Settings
Use SMB Authentication On, Off* Yes
Authentication Type NTLMv1*,NTLMv2* Yes
SNMP Settings
Get Printer Mgmt Info from Host On, Off* Yes
Use SNMPv1 On*, Off Yes
Dedicated Community Settings
Dedicated Community On*, Off
MIB Access Permission Read/write, Read Only
Community Name1 Settings
Community Name1 On*, Off Yes
MIB Access Permission Read/Write/Read Only* Yes
Community Name Community Name(32 characters maximum)(public*) Yes
Community Name2 Settings
Community Name2 On, Off* Yes
MIB Access Permission Read/Write/Read Only* Yes
Community Name Community Name(32 characters maximum)(public2*) Yes
Use SNMPv3 On, Off* Yes
User Settings
User On, Off - Yes
Register User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password Yes
Details/Edit User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password Yes
Delete - Yes
Context Settings Context Name(32 characters maximum)
Register Context Name(32 characters maximum) Yes
Edit - Yes
Delete Yes
Dedicated Port Settings
Dedicated Port Settings On*, Off Yes
Use Spool Function
Use Spool Function On, Off* Yes
Startup Settings
Startup Settings 30 to 300 seconds (30*) Yes
Ethernet Driver Settings
Auto Detect On*, Off Yes
Communication Mode Half Duplex*/Full Duplex Yes
Ethernet Type 10 Base-T*,100 Base-TX,1000 Base-T Yes
MAC Address Display only -
IEEE802.1X Settings
Use IEEE802.1X On, Off* Yes
User Name of the user to be authenticated with IEEE802.1X authentication Yes
Password Password of the user to be authenticated with IEEE802.1X authentication Yes
TLS Settings
Use TLS On, Off* Yes
Key and Certificate
Set as the Default Key - Yes
Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate Yes
Display Use Location Displays what the key pair is being used for. Yes
TTLS Settings
Use TTL Use TTL On, Off* Yes
TTLS Settings MSCHAPv2*,PAP Yes
PEAP Settings
Use PEAP On, Off* Yes
Same User Name as Login Name - Yes
User Name 24 characters maximum Yes
Password 24 characters maximum Yes
Firewall Settings
IPv4 Address Filter
Send Filter - Yes
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
IPv4 Address Up to 16 IPv4 addresses can be stored. Yes
Receive Filter
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
IPv4 Address Up to 16 IPv4 addresses can be stored. Yes
IPv6 Address Filter
Send Filter
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
IPv6 Address Up to 16 IPv4 addresses can be stored. Yes
Receive Filter
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
IPv6 Address Up to 16 IPv4 addresses can be stored. Yes
MAC Address Filter
Send Filter
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
MAC Address Up to 100 IPv4 addresses can be stored. Yes
Receive Filter
Use Filter On, Off* Yes
Default Policy Allow/Reject Yes
MAC Address Up to 100 IPv4 addresses can be stored. Yes
IP Address Block Log Time, Category, IP Address, Result Yes
External Interface
* Default Settings
Item Setting Description Device Information Delivery Available
USB Settings
Use USB Device On*, Off Yes
Use USB Host On*, Off Yes
Use MEAP Driver for USB Device On*, Off Yes
Use MEAP Driver for USB External Drive On*, Off Yes
Send
* Default Settings
*1 Indicates items that appear only when the appropriate optional equipment is attached.
*4 Indicates item that appears only if the Super G3 2nd Line Fax Board is installed in addition to installing the Super G3 FAX Board.
*5 Indicates item that appears only if the Super G3 3rd/4th Line Fax Board is installed in addition to installing the Super G3 FAX Board.
Item Setting Description Device Information Delivery Available
Output Report
TX/RX User Data List Print No
Fax User Data List*1 Print No
Common Settings
Register Favourite Settings/Edit Favourite Settings Register/Edit, Delete (M1 to M18), Check Content Yes
Show Comment On, Off* Yes
Display Confirmation for Favourite Settings On*, Off No
Change Default Screen Standard*, Address Book, One-touch, Favourite Settings No
Change Default Settings Register, Initialize No
Register [Options] Shortcuts
Shortcut 1 2-Sided*, No Settings No
Shortcut 2 Different Size Originals*, No Settings No
TX Report For Error Only*, On, Off Yes
Report with TX Image On*, Off Yes
Report with Colour TX Image On, Off* Yes
Communication Activity Report
Auto Print (100 Transmissions) On*, Off Yes
Specify Print Time On, Off* Yes
Timer Setting 00 : 00 to 23 : 59(00 : 00*) Yes
Send/Receive Separate On, Off* Yes
TX Terminal ID
Print*, Do Not Print Yes
Printing Position: Inside, Outside*, Display Destination Unit Name: On*, Off Telephone # Mark*1: Fax*, TEL
Yes
Delete Failed TX Jobs On*, Off Yes
Retry Times 0 to 5times(3times*) Yes
Data Compression Ratio Compact, Normal*, Low Ratio Yes
YCbCr TX Gamma Value Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 Yes
Use Chunked Encoding with WebDAV Sending On*, Off Yes
Limit New Destinations
Fax On, Off* Yes
E-mail On, Off* Yes
I-Fax On, Off* Yes
File On, Off* Yes
Always Add Device Signature to Send*1 On, Off* Yes
Restrict File Formats On, Off* Yes
E-mail/Ifax Settings
Register Unit Name 24 characters maximum No
Communication Settings
SMTP Receive On*, Off Yes
POP On* Off Yes
SMTP Server Server name or IP Address(48characters maximum) No
E-mail Address 64 characters maximum No
POP Server Server name or IP Address(48characters maximum) No
POP Address 32 characters maximum No
POP Password 32 characters maximum No
POP Interval 0* to 99(If the interval is set to ‘0’, the incoming e-mail is not checked automatically.) No
POP AUTH Method Standard*/APOP/POP AUTH Yes
POP Authentication before Sending On, Off* No
SMTP Authentication (SMTP AUTH) On, Off* No
User User name for SMTP authentication (64 characters maximum) No
Password Password for SMTP authentication(32 characters maximum) No
Allow SSL(POP) On, Off* No
Display Auth. Screen When Send On*, Off No
Allow SSL(SMTP Receive) Always SSL, On, Off* No
Maximum Data Size for Sending 0 =(Off)/1 to 99 MB(3MB*) Yes
Default Subject 40 characters maximum (Attached Image*) Yes
Use SMTP Authentication for Each User On*, Off No
Specify Authentication User Dest. to Reply On, Off* No
Set Authorized User Destination to Sender On*, Off No
Allow Sending to Unregistered Destinations On, Off* Yes
Full Mode TX Timeout 1 to 99hours (24hours*) Yes
Print MDN/DSN upon Receipt On, Off* Yes
Use Send via Server On, Off* Yes
Allow MDN Not via Server On*, Off Yes
Restrict TX Destination Domain
Restrict TX Destination Domains On, Off* Yes
Permitted Domains Register, Details/Edit, Delete No
Autocomplete for Entering E-mail Addresses On*, Off Yes
Fax Settings
Default Screen Standard*, Address Book No
Change Default Settings Register, Initialize No
Register [Options] Shortcuts
Shortcut 1 Density*, No Settings No
Shortcut 2 Original Type*, No Settings No
Shortcut 3 2-Sided Original*, No Settings No
Shortcut 4 Different Size Originals*, No Settings No
Register Sender Name (TTI) 01 to 99 : Register/Edit, Delete No
Off-Hook Alarm On*, Off No
ECM TX On*, Off Yes
Set Pause Time 1 to 15seconds (2seconds*) Yes
Auto Redial On, Off Yes
Redial Times 1 to 15times (2times*) Yes
Redial Interval 2 to 99minutes (2minutes*) Yes
Redial When TX Error Error and 1st page*, All pages, Off Yes
Check Dial Tone Before Sending On*, Off Yes
Fax TX Report For Error Only*, On, Off Yes
Report with TX Image On*, Off Yes
Fax Activity Report
Auto Print (40 Transmissions) On*, Off Yes
Specify Print Time On, Off* Yes
Timer Setting 00:00 to 23:59 (00:00*) Yes
Send/Receive Separate On, Off* Yes
Set Line
Register User Telephone No. 20 digits maximum No
Register Unit Name 24 characters maximum No
Select Line Type Pulse, Tone* No
Line (2 to 8)
If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: Line 2 No
If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: Line 2, Line 3, Line 4 No
Select TX Line
If the Super G3 FAX Board is installed: Line 1: Priority TX, Prohibit TX* No
If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: Line 1: Priority TX, Prohibit TX*; Line 2: Priority TX, Prohibit TX No
If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: Line 1: Priority TX, Prohibit TX*; Line 2: Priority TX, Prohibit TX; Line 3: Priority TX, Prohibit TX; Line 4: Priority TX, Prohibit TX No
TX Start Speed 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps Yes
FIS Switch On, Off* Yes
Item Setting Description Device Information Delivery Available
PIN Code Access On, Off* Yes
Line1 On, Off* Yes
Line2*8 On, Off* Yes
Line3*9 On, Off* Yes
Line4*9 On, Off* Yes
Confirm Entered Fax Numbers On, Off* Yes
Allow Fax Driver TX On*, Off Yes
Remote Fax TX Settings
Remote Fax Server Address Host name or the IP address (48 characters maximum) No
TX Timeout 1 to 99 hours (24 hours*) Yes
Select TX Line 1 to 4 Line (1*) No
Select Priority Line Auto*, Line1, Line2*10, Line3*10, Line4*10 No
Remote Fax Settings
Use Remote Fax On*, Off Yes
Item Setting Description Device Information Delivery Available
Output Report
TX/RX User Data List Print No
Fax User Data List*1 Print No
Common Settings
Print on Both Sides On, Off* Yes
Select Drawer
SwitchA On*, Off Yes
SwitchB On*, Off Yes
SwitchC On*, Off Yes
SwitchD On*, Off Yes
Reduce Fax RX Size On*, Off Yes
On: Reduction Mode: Auto*, Fixed; Reduction %: 75 to 97% (90%*); Reduction Direction: Vertical & Horizontal, Vertical Only* Yes
2 On 1 Log On, Off* Yes
Received Page Footer On, Off* Yes
YCbCr RX Gamma Value Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 Yes
Handle Files with Forwarding Errors Always Print, Store/Print, Off* Yes
Forwarding Settings Receive Type, Validate/Invalidate, Register (Registered Forwarding Settings), Forward w/o Conditions, E-Mail Priority, Details/Edit, Delete, Print List Yes*11
Receive Tray Settings
Set Fax/I-Fax Inbox
Set/Register Confidential Fax Inboxes 00 to 49 Yes
Register Box Name: 24 characters maximum Yes
PIN Seven digits maximum Yes
URL Send Settings - Yes
Initialize - No
Memory RX Inbox PIN Seven digit number No
Receive/Forward
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
*7 Indicates item that is not delivered as device information. Receive Type, Details/Edit, Delete, Print List, E-Mail Priority
Item Setting Description Device Information Delivery Available
Use Fax Memory Lock*1 On, Off* Yes
Use I-Fax Memory Lock On, Off* Yes
Memory Lock Start Time Every day, Select Days, Off* Yes
Memory Lock End Time Every day, Select Days, Off* Yes
Divided Data RX Timeout 0 to 99 hours (24 hours*) Yes
Always Send Notice for RX Errors On*, Off Yes
Fax Settings*1
ECM RX On*, Off Yes
Select RX Mode
Auto RX*, Fax/Tel Auto Switch Yes
Fax/Tel Auto Switch: Ring Start Time: 0 to 30 sec (8 sec*); Ring Time: 15 to 300 sec (17 sec*); F/T Switch Action: End, Receive*; Outgoing Message: On, Off* Yes
Remote RX On, Off* No
On: Remote RX ID: 00 to 99 (25*) No
RX Manual/Auto Switch
On, Off* Yes
On: F/T Ring Time: 1 to 99 sec (15 sec*) Yes
Fax RX Report For Error Only, On, Off* Yes
Confidential Fax Inbox RX Report On*, Off Yes
Receive Start Speed 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps Yes
Receive Password 20 digits maximum No
Set Number Display Yes
Line1*1 On, Off* Yes
Line2*1 On, Off* Yes
Line3*1 On, Off* Yes
Line4*1 On, Off* Yes
Item Setting Description Device Information Delivery Available
Common Settings
Scan and Store Settings
Register/Edit Favorite Settings Register/Edit, Delete (Up to 9 Set Keys), Check Content No
Change Default Settings Register, Initialize No
Settings of Access Stored File
Register/Edit Favorite Settings Register/Edit, Delete (Up to 9 Set Keys), Check Content No
Change Default Settings Register, Initialize No
Mail Box Settings
Mail Box Settings
Mail Box No. 00 to 99 No
Register Box Name 24 characters maximum Yes
PIN Seven digits Yes
Time Until Document Auto Delete 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days No
URL Send Settings - Yes
Print upon Storing from Printer Driver On, Off* Yes
Initialize - No
Store/Access Files
* Default Setting
Item Setting Description Device Information Delivery Available
Address List Address Book 1 to 10, One-touch No
Print List: Print No
Register Destinations Register New Dest., Details/Edit, Delete, Search by Name Yes
Register Address List Name Register Name Yes
Register One-touch Register/Edit, Delete Yes
Change Default Display of Address Book Local*, LDAP Server, Remote No
Address Book PIN Seven digit number Yes
Manage Address Book Access Number On, Off* Yes
Item Setting Description Device Information Delivery Available
Settings for All Mail Boxes
Time Until Document Auto Delete 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days No
Print upon Storing from Printer Driver On, Off* No
Box Security Settings
Limit Box PIN to 7 Digits/Restrict Access On, Off* Yes
Disp. Print When Storing from Printer Driver On*, Off Yes
Advanced Box Settings
Open to Public By SMB, By WebDAV, Off* Yes
Allow to Create Personal Space On*, Off Yes
WebDAV Server Settings
Authentication Type Basic, Off* Yes
Use SSL On, Off* Yes
Delete All Personal Spaces Delete No
Initialize Shared Space Initialize No
Prohibit Writing from External On*, Off Yes
Authentication Management On, Off* Yes
File Formats Allowed for Storing Printable Formats Only, Common Office Formats, All Yes
Network Settings
Network Place Settings Register, Details, Delete No
Protocol for External Reference
SMB On*, Off No
WebDAV On*, Off No
Memory Media Settings
Use Scan/Print Function
Use Scan Function On*, Off Yes
Use Print Function On*, Off Yes
Item Setting Description Device Information Delivery Available
Only Allow Encrypted Print Jobs*1 On, Off* Yes
Encrypted Secure Print
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Set Destination
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item Setting Description Device Information Delivery Available
Require Password for Exporting Address Book On*, Off Yes
Register LDAP Server Receive Type, Validate/Invalidate, Register, Details/Edit, Delete, Forward w/o Conditions, Print List, E-Mail Priority No
Auto Search When Using LDAP Server On*, Off Yes
Acquire Remote Address Book
Acquire Address Book On, Off* Yes
Remote Address Book Server Address IP Address or Host Name (128 characters maximum) No
Communication Timeout 15 to 120 seconds (30 seconds*) Yes
Fax TX Line Auto Select Adjustment On*, Off Yes
Make Remote Address Book Open
Make Remote Address Book Open On, Off* Yes
Item Setting Description Device Information Delivery Available
System Manager Information Settings
System Manager ID Seven digit number maximum (7654321*) Yes
System PIN Seven digit number maximum (7654321*) Yes
System Manager 32 characters maximum Yes
E-Mail Address 64 characters maximum Yes
Contact Information 32 characters maximum Yes
Comment 32 characters maximum Yes
Department ID Management
Department ID Management On, Off* Yes
Register PIN Register, Edit, Delete, Limit Functions Yes
Page Totals Clear, Print List, Clear All Totals, Large2 Count Management No
Allow Printer Jobs With Unknown IDs On*, Off Yes
Allow Remote Scan Jobs With Unknown IDs On*, Off Yes
Allow Black Copy/Mail Box Print Jobs On, Off* Yes
Allow Black Printer Jobs On, Off* Yes
Management Settings/User Management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Management Settings/Device Management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item Setting Description Device Information Delivery Available
Device Information Settings
Device Name 32 characters maximum No
Location 32 characters maximum No
Device Information Delivery Settings
Register Destinations
Auto Search/Register, Register, Details, Delete, Print List
Auto Search/Register: List; Select All; Search Depth (Router): 1 to 8; Display Host Name: On, Off; Start Auto Search
Item Setting Description Device Information Delivery Available
Set Auto Delivery Every day, Specify Days, Off*
Settings/Registration Value On, Off*; Network Settings: Include, Exclude
Dept. ID On, Off*
Address Book On, Off*
Web Access Favorites On, Off*
Printer Settings On, Off*
Paper Information On, Off*
Workflow Composer On, Off*
Manual Delivery
Settings/Registration Value On, Off*; Network Settings: Include, Exclude
Dept. ID On, Off*
Address Book On, Off*
Web Access Favorites On, Off*
Printer Settings On, Off*
Paper Information On, Off*
Workflow Composer On, Off*
Restrictions for Receiving Device Info. On*, Off
Restore Data Settings/Registration Value, Dept. ID, Address Book, Printer Settings, Paper Information
Receive Restriction for Each Function
Settings/Registration Value On*, Off
Dept. ID On*, Off
Address Book On*, Off
Web Access Favorites On*, Off
Printer Settings On*, Off
Paper Information On*, Off
Workflow Composer On*, Off
Communication Log
Details, Print List, Report Settings
Report Settings:
• Auto Print (100 transmissions): On*, Off
• Specify Print Time: On, Off*
• 00:00* to 23:59
• Separate Report Type: On, Off*
Limited Functions Mode On, Off* No
Limit Functions When Security Key is Off* Partial Functions*, All Functions Yes
Confirm Device Signature Certificate Certificate Details: Certificate No
Check User Signature Certificate Certificate Details: Certificate No
Certificate Settings
Generate Key
Generate Network Communication Key
Key Name 24 characters maximum No
Signature Algorithm SHA1*, SHA256, SHA384, SHA512 No
Key Algorithm RSA, Display only No
Key Length (bit) 512*, 1024, 2048, 4096 No
Start Date of Validity Month, Date, Year (2000/01/01-2037/12/31) No
End Date of Validity Month, Date, Year (2000/01/01-2037/12/31) No
Country/Region Country/Region name and code (2 characters maximum) No
State 24 characters maximum No
City 24 characters maximum No
Organization 24 characters maximum No
Organization Unit 24 characters maximum No
Item Setting Description Device Information Delivery Available
Common Name IP address or FQDN (41 characters maximum) No
Generate/Update Device Signature Key - No
Key and Certificate List: Key and Certificate List for this Machine Editing Key Pairs and Server Certificates Confirming a Key Pair and Device Certificate
Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No
Delete -
Display Use Location Displays what the key pair is being used for No
Certificate Settings: Key and Certificate List: Key and Certificate List for Users*
Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No
Delete - No
Certificate Settings: CA Certificate List
Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No
Delete - No
Certificate Settings: Register Key and Certificate
Register Key Name (24 characters maximum) Password (24 characters maximum) No
Delete - No
Display Asterisks For Confidential Info. On*, Off Yes
Display Status Before Authentication On*, Off No
Display Log
On*, Off No
On: Obtain Job Log From Management Software: Permit, Do Not Allow* No
Audit Log Retrieval On, Off* No
Format Encryption Method to FIPS 140-2 On, Off* No
Item Setting Description Device Information Delivery Available
Register License 24 characters maximum No
MEAP Settings
Print System Information Print No
Use SSL On, Off* No
Remote UI On*, Off Yes
Use SSL On, Off* No
Use Reference Print On, Off* Yes
Delete Message Board Contents Clear No
Remote Operation Settings On, Off* No
On: Password (Max 8 characters)
Register/Update Software
Install Applications/Options License Access Number (4 digits at a time.) No
Software Management Settings
Select Log Display Display Update Logs, Display System Logs No
Test Communication - No
Management Settings: License and other
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item Setting Description Device Information Delivery Available
HDD Data Complete Deletion*
Timing of Deletion During Job*, After Job No
Deletion Mode Overwrite Once With 0 (Null) Data*, Overwrite 1 Time With Random Data, Overwrite 3 Times With Random Data, DOD Standard No
Initialize All Data/Settings License cannot be reused No
TPM Settings Backup TPM Key, Restore TPM Key No
Management Settings: Data management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.